{"id":230582,"date":"2026-04-02T15:30:00","date_gmt":"2026-04-02T19:30:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/04\/02\/hackers-exploit-cve-2025-55182-to-breach-766-next-js-hosts-steal-credentials\/"},"modified":"2026-04-02T21:00:13","modified_gmt":"2026-04-03T01:00:13","slug":"hackers-exploit-cve-2025-55182-to-breach-766-next-js-hosts-steal-credentials","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/04\/02\/hackers-exploit-cve-2025-55182-to-breach-766-next-js-hosts-steal-credentials\/","title":{"rendered":"Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/04\/hackers-exploit-cve-2025-55182-to.html\">Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/04\/hackers-exploit-cve-2025-55182-to.html\">https:\/\/thehackernews.com\/2026\/04\/hackers-exploit-cve-2025-55182-to.html<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-04-02 15:30:00<\/a><\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p><span class=\"p-author\">\ue804<span class=\"author\">Ravie Lakshmanan<\/span>\ue802<span class=\"author\">Apr 02, 2026<\/span><\/span><span class=\"p-tags\">Vulnerability \/ Threat Intelligence<\/span><\/p>\n<p>A\u00a0large-scale credential harvesting operation\u00a0has been\u00a0observed exploiting the React2Shell vulnerability as an initial infection vector to steal database credentials, SSH private keys, Amazon Web Services (AWS) secrets, shell command history, Stripe API keys, and GitHub tokens at\u00a0scale.<\/p>\n<p>Cisco\u00a0Talos has attributed the operation to a threat cluster it tracks\u00a0as <strong>UAT-10608<\/strong>. At\u00a0least 766 hosts spanning multiple geographic regions and cloud providers\u00a0have been compromised as part\u00a0of the\u00a0activity.<\/p>\n<p>&#8220;Post-compromise, UAT-10608 leverages automated scripts for extracting and exfiltrating credentials from a variety of applications,\u00a0that are then\u00a0posted to its command-and-control (C2),&#8221; security researchers\u00a0 Asheer Malhotra and Brandon\u00a0White said in a report shared with The Hacker News ahead of publication.<\/p>\n<p>&#8220;The C2 hosts a web-based graphical user interface (GUI) titled &#8216;NEXUS Listener&#8217; that\u00a0can be\u00a0used to view stolen information and gain analytical insights using precompiled statistics on credentials harvested and hosts compromised.&#8221;<\/p>\n<p>The\u00a0campaign is\u00a0assessed to be targeting Next.js\u00a0applications that are vulnerable\u00a0to CVE-2025-55182 (CVSS score: 10.0), a critical flaw in React Server Components and Next.js\u00a0App Router that could result in remote code execution, for initial access, and then dropping the NEXUS Listener collection framework.<\/p>\n<p>This\u00a0is accomplished by means of a dropper that proceeds to deploy a multi-phase harvesting script that collects various details from the compromised system\u00a0&#8211;<\/p>\n<ul>\n<li>Environment variables<\/li>\n<li>JSON-parsed environment from JS runtime<\/li>\n<li>SSH private keys and authorized_keys<\/li>\n<li>Shell command history<\/li>\n<li>Kubernetes service account tokens<\/li>\n<li>Docker container configurations (running containers, their images, exposed ports, network configurations, mount points, and environment variables)<\/li>\n<li>API keys<\/li>\n<li>IAM role-associated temporary credentials by querying the Instance Metadata&#8230;<\/li>\n<\/ul>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/04\/hackers-exploit-cve-2025-55182-to.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials https:\/\/thehackernews.com\/2026\/04\/hackers-exploit-cve-2025-55182-to.html Publish Date: 2026-04-02 15:30:00&#8230;<\/p>\n","protected":false},"author":1,"featured_media":230583,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj8T48UROZtSjRXtkxVcNT2VmXbB1texWQPAqLbm06uwmJ8VsYFb_HeXOnZx9uz9QL-LB3aWdwcLm9TbuRler7w7jjXJlL_tQweQualaW4XEVav7Ysulqx_CJyc9a0P1dO1a69W_eQhroxV1LA_p5VB9T38Xubc3zXHgwd-4sAAc2whuv4ElnC5WtFSn7SH\/s1600\/nextjs.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[30,31,35,27],"class_list":["post-230582","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-breach","tag-exploit","tag-hacker","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/230582"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=230582"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/230582\/revisions"}],"predecessor-version":[{"id":230584,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/230582\/revisions\/230584"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/230583"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=230582"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=230582"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=230582"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}